GDPR effects on Gift Aid. Presented by Keren Caird Business Development Gift Aid Manager Sue Ryder

Similar documents
Contract Services Europe

Data Protection Policy

This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant.

Element Finance Solutions Ltd Data Protection Policy

Creative Funding Solutions Limited Data Protection Policy

Islam21c.com Data Protection and Privacy Policy

Rights of Individuals under the General Data Protection Regulation

PS Mailing Services Ltd Data Protection Policy May 2018

Data Protection Policy

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

- GDPR (General Data Protection Regulation) is the new Data Protection Regulation of the European Union;

General Data Protection Regulation (GDPR) Key Facts & FAQ s

Data Protection Policy

GDPR data subject rights

Part B of this Policy sets out the rights that all individuals have in relation to the collection and use of your personal information

Data Subject Access Request Form

Privacy Policy Hafliger Films SpA

CITY SECURITY MAGAZINE

BELLISSIMA BEAUTY SALON PRIVACY NOTICE

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

About Us. Privacy Policy v1.3 Released 11/08/2017

RVC DATA PROTECTION POLICY

PRIVACY NOTICE (TIER 4)

Privacy Policy CARGOWAYS Logistik & Transport GmbH

Link Exhibitions Privacy Policy

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

Requirements for a Managed System

Privacy and Cookies Policy

The isalon GDPR Guide Helping you understand and prepare for the legislation

the processing of personal data relating to him or her.

INFORMATION NOTE ON DATA PROCESSING

GDPR - Are you ready?

Data Subject Requests Procedure

GDPR Data Protection Policy

A Homeopath Registered Homeopath

Technical Requirements of the GDPR

Our Data Protection Officer is Andrew Garrett, Operations Manager

Promise Dreams Privacy Policy

EIT Health UK-Ireland Privacy Policy

PRIVACY POLICY. Introduction:

Data Protection Policy

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Cellular Solutions and Services Limited and Cellular Solutions and Network Services Privacy Policy

Personal Data Protection Policy

Wonde may collect personal information directly from You when You:

Little Blue Studio. Data Protection and Security Policy. Updated May 2018

Kidenza Community Interest Company PRIVACY POLICY

Privacy Notice For Ghana International Bank Plc customers

Information you give us when you sign up to the World Merit Hub. In addition, when you sign up to the World Merit Hub, we will usually ask for:

Data Protection policy

PRIVACY POLICY PRIVACY POLICY

Privacy Notice Alumni

Beam Suntory Privacy Policy WEBSITE PRIVACY NOTICE

Privacy Policy Inhouse Manager Ltd

Data protection is important to us

M T BUCKLEY & Co Chartered Accountants

Made In Hackney Data Protection Policy Last Updated:

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

volcanic Better People Technology Setting up your website to help you achieve GDPR compliance

HBW LAW LTD T/A HESELTINE BRAY & WELSH

Privacy Notices under #GDPR: Have you noticed my notice?

Index Introduction... 3

Privacy Policy Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH 1. Definitions

Personal Data Privacy Policy Updatedt: December 2018

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3

Website Privacy Policy

About Mark Bullock & Company Chartered Surveyors

Latest version, please translate and adapt accordingly!

Wesley House data protection statement and privacy notice (short-course delegates)

DATA PROTECTION POLICY

INNOVENT LEASING LIMITED. Privacy Notice

Website Privacy Notice

What You Need to Know About Addressing GDPR Data Subject Rights in Pivot

Privacy and Data Protection Policy

GLOBAL DATA PROTECTION POLICY

This privacy policy describes how Stockholm Design Lab Aktiebolag ( SDL ) processes personal data regarding our clients contact persons.

Privacy Notice. Lonsdale & Marsh Privacy Notice Version July

Privacy Policy Identity Games

SCALA FUND ADVISORY PRIVACY POLICY

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Privacy Statement for Use of the Trust Service of Swisscom IT Services Finance S.E., Austria

Toucan Telemarketing Ltd.

Haaga-Helia University of Applied Sciences Privacy Notice for Urkund Plagiarism Detection Software

FAST Data Protection Policy

MBNL Landlord Privacy Notice. This notice sets out how we handle landlord personal data as part of our General Data Protection policies (GDPR).

A1 Complete Plumbing and Heating Limited Job Applicant Privacy Notice

GDPR Privacy Policy. The data protection policy of AlphaMed Press is based on the terms found in the GDPR.

Privacy Statement for Use of the Certification Service of Swisscom (sales name: "All-in Signing Service")

HOW TO EXERCISE YOUR DATA SUBJECT RIGHTS

WE ARE COMMITTED TO PROTECTING YOUR PERSONAL DATA

DATA PROTECTION POLICY THE HOLST GROUP

Our Data Privacy Statement Scope Responsibilities

British Handball Association: Privacy Policy

Sketching for UX Designers Website & Newsletter Privacy Policy

More detailed information, including the information about your rights is available below.

GLOBAL DATA PROTECTION POLICY

Online Ad-hoc Privacy Notice

CEM Benchmarking Privacy Policy

SYDNEY FESTIVAL PRIVACY POLICY

Identity of the controller: CHARVAT CTS a.s., ID No.: , with the registered office at Okrinek 53, Podebrady, Czech Republic, Postcode

Transcription:

GDPR effects on Gift Aid Presented by Keren Caird Business Development Gift Aid Manager Sue Ryder

Accountability Processed lawfully, fairly and in a transparent manner Collected for specified, explicit and legitimate purposes Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed Accurate, kept up to date

Accountability Kept in a form which permits identification of data subjects for no longer than necessary for the purpose for which the data is processed Security the controller shall be responsible for, and be able to demonstrate, compliance with the principles

Lawful processing For processing to be lawful under the GDPR, you need to identify a lawful basis for processing data and document this Processing is necessary for compliance with legal obligation - Gift Aid

Individuals Rights The right to be informed provide fair processing information typically through a privacy notice. The information must be consise, transparent, intelligible and easily accessible, written in clear and plain language

The Right to be informed Information that must be supplied at the time the data is obtained privacy statement Identify and contact details of the data controller Purpose for the processing and lawful basis for the processing The legitimate interests of the controller Any recipient of the personal data

Right to be informed Information that must be provided at the time the data is obtained privacy statement Retention period The existence of each of data subject s rights The right to withdraw consent at any time, where relevant The right to lodge a complaint with the ICO The existence of automated decision making, including profiling

The right of access Individuals will have the right to obtain Confirmation that their data is being processed Access to their personal data Provide this information free of charge This information must be provided within one month of receipt

The right of access You must verify the identity of the person making the request using reasonable means If the request is made electronically, you should provide the information in electronic format Recommendation to provide remote access to a secure self service system

The right to rectification Individuals are entitled to have personal data rectified if it is in inaccurate or incomplete If you have disclosed the personal data, in question, to third parties, you must inform them of the rectification, where possible You must respond within one month

The right to erasure or right to be forgotten Does not provide an absolute right to be forgotten. Individuals have a right to have personal data erased if The data is no longer necessary in relation to the purpose for which is was originally collected/processed When the individual withdraws consent

The right to erasure or right to be forgotten Does not provide an absolute right to be forgotten. Individuals have a right to have personal data erased if When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing The data was unlawfully processed The personal data has to be erased to comply with legal obligation

The right to erasure or right to be forgotten You can refuse to comply with a request to comply with a legal obligation Gift Aid

The right to object Individuals have the right to object to Processing based on legitimate interests Direct marketing Processing for purposes of scientific/historical research and statistics

The right to object You must stop processing personal data unless: you can demonstrate compelling legitimate grounds for processing the processing is for the establishment, exercise or defence of legal claims You must stop processing data for direct marketing as soon as you receive an objection

Accountability and Governance Requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility. Implement appropriate technical and organisational measures that ensure and demonstrate that you comply Maintain relevant documentation on processing activates

Breach notification A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. inform the relevant supervisory authority Inform those concerned directly 72 hours to report serious breach

Communicating Privacy Information Privacy Statement must contain - Lawful basis for processing Retention periods The right to complain to ICO Lawful Basis compliance, accountability Legitimate Interest

GDPR - Consent Consent must be a freely given, specific, informed and unambiguous indication of the individuals wishes. There must be some form of clear affirmative action, a positive opt in. Consent can not be inferred from silence, pre-ticked boxes or inactivity. Must be separate from other terms and conditions You can rely on other lawful bases apart from consent, example where processing is necessary for legitimate interests Separate communication for opt in and opt out

GDPR consent checklist Check that consent is the most appropriate lawful basis for processing Make the request for consent prominent and separate from your terms & conditions Ask for positive opt in Don t use any type of consent by default Specify why you want the data and what you are going to do with it Give granular options to consent

GDPR consent checklist Name your organisation and any third parties Inform individuals they can withdraw their consent Ensure they can refuse consent without detriment Do not make consent a precondition of a service Keep a record of when and how consent was given by an individual, or withdrawn Keep a record of exactly what they were told at the time

What we need to consider Greater control transparency for opt in Purpose of communication Newsletter Events Fundraising Campaigning

What we need to consider Greater control transparency for opt in Communication by what method Post Email Telephone SMS Social media

HMRC - Compliance Retention period 6 years for audit purposes Enduring declaration forms Up to date records Communicating with donors notification for standard method, end of year statements for method A & B

What we need to consider HMRC legal Analysis we are not Data Controllers in common with HMRC HMRC Privacy Statement - as we are passing our data to them. Link Gov.UK website Transparently & Accountability Legitimate Interest sharing information, will they share with us? Yes on a individual basis if necessary for tax compliance purposes

What we need to consider Right to be forgotten - under Legal obligation we have to retain donor details for 6 years ICO comment we can refuse to delete donor records in order to comply with Legal Obligations. Need to make donors aware transparency

What we need to consider Consent need to ask donors to update their details ie change of address for opt in and outs ICO comment Can ask donors to keep their records up to date by post to comply with legal obligations, but not by email, as this needs consent. Need to give the donor greater control

Clear Guidance On legal obligation, charities are under a legal obligation to obtain and retain certain personal data in relation to claims for Gift Aid. However, they are not under a legal obligation to solicit donations. So any data processing that underpins those activities will be on the basis of legitimate interests and are decisions for individual charities to make for themselves.

Clear Guidance Donor giving us their gift aid details - consent We making a claim to HMRC - is covered by legal obligation. We can't rely on consent, as they could withdraw it, but it is in our interests to get more money, so this is our legitimate interest. Unless we have money we can't provide our services. Keeping the details for 6 years - legal obligation And although there can be all these different legal bases for the different parts of the process, the one we can use to cover all of it, is legitimate interests.

Clear Guidance Data minimisation HMRC s expectations on record keeping for audit purposes only, and explicitly that after this has elapsed those records are destroyed. Storage limitations Data being held in regard of enduring GAD s. Retention periods for non active donors should be considered. We should not be holding data for longer than necessary.

Clear Guidance Clear information in your Privacy Statements to inform the donor of What you are collecting the data for How long it will be retained Who it will be shared with 3 rd parties Data Cleansing - matching with national records Royal Mail redirect etc

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback